5 Replies Latest reply on Jul 23, 2013 2:23 AM by TKremer

    VPro OoB Managment with SCCM 2012 SP1 CU1 Problems

    TKremer

      Hello dear VPro Experts,

      I discovered some problems while trying to manage VPro Clients with SCCM 2012; perhaps someone has some tips for me.

      After bringing OoB Provisioning to work under SCCM 2007 we started migrating to SCCM 2012.

      Now I have some problems getting it to work again. The machines I tried to provision are fully unprovisioned, and the MEBx Password is set to our standard Password.

      We double-checked the Prerequisites from the MS Technet page and installed and configured the Enrollment Point and OoB-Role on our Primary Server.

      The Certificates we use were newly created via Verisign in the same way we built the working Certificates under SCCM 2007. The Web Server Certificates from our PKI were also newly created and implemented. MEI and HECI drivers are installed and up to date.

      The Client I'm testing with at the moment has the AMT Version 5.0.1.

      Now I get the Problem that I can't provision the workstation via SCCM. When I try to discover the AMT status, the amtopmgr.log brings the following errors and the client is only shown as detected.

       

       

       

      Discover Testclient using IP address 10.37.135.52     SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:09        728 (0x02D8)

      STATMSG: ID=7203 SEV=I LEV=M SOURCE="SMS Server" COMP="SMS_AMT_OPERATION_MANAGER" SYS=Testprimary.testing.oursite.de SITE=P10 PID=5240 TID=7568 GMTDATE=Di Jul 16 06:38:09.468 2013 ISTR0="1" ISTR1="0" ISTR2="0" ISTR3="" ISTR4="" ISTR5="" ISTR6="" ISTR7="" ISTR8="" ISTR9="" NUMATTRS=0 SMS_AMT_OPERATION_MANAGER   16.07.2013 08:38:09    7568(0x1D90)

      AMT Discovery Worker: There are 1 tasks in pending list     SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:09       7568 (0x1D90)

      AMT Discovery Worker: Wait 20 seconds...        SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:09        7568 (0x1D90)

      AMT Discovery Worker: Wakes up to process instruction files  SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:09   7568 (0x1D90)

      AMT Discovery Worker: There are 1 tasks in pending list          SMS_AMT_OPERATION_MANAGER    16.07.2013 08:38:09   7568 (0x1D90)

      AMT Discovery Worker: Wait 20 seconds...                               SMS_AMT_OPERATION_MANAGER    16.07.2013 08:38:09    7568 (0x1D90)

      AMT Discovery Worker: Wakes up to process instruction files  SMS_AMT_OPERATION_MANAGER    16.07.2013 08:38:09    7568 (0x1D90)

      DoPingDiscoveryForAMTDevice succeeded.                             SMS_AMT_OPERATION_MANAGER    16.07.2013 08:38:09   728 (0x02D8)

      AMT Discovery Worker: There are 1 tasks in pending list          SMS_AMT_OPERATION_MANAGER    16.07.2013 08:38:09   7568 (0x1D90)

      AMT Discovery Worker: Wait 20 seconds...                               SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:09   7568 (0x1D90)

      Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.                SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:09        728 (0x02D8)

      **** Error 0x3bb9b550 returned by ApplyControlToken             SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:09     728 (0x02D8)

      DoSoapDiscovery failed with user name: admin.                      SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:09     728 (0x02D8)

      Flag iWSManFlagSkipRevocationCheck is set.                        SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10      728 (0x02D8)

      session params : https://Testclient.testing.oursite.de:16993,2011001   SMS_AMT_OPERATION_MANAGER   16.07.2013 08:38:10  728 (0x02D8)

      ERROR: Invoke(get) failed: 80020009argNum = 0                   SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Description: A security error occurred                                       SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Error: Failed to get AMT_SetupAndConfigurationService instance.   SMS_AMT_OPERATION_MANAGER  16.07.2013 08:38:10  728 (0x02D8)

      DoWSManDiscovery failed with user name: admin.                 SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Start Kerberos Discovery                                                          SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Flag iWSManFlagSkipRevocationCheck is set.                       SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      session params : https:// Testclient.testing.oursite.de:16993,2484001   SMS_AMT_OPERATION_MANAGER  16.07.2013 08:38:10  728 (0x02D8)

      ERROR: Invoke(get) failed: 80020009argNum = 0                  SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Description: A security error occurred                                      SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Error: Failed to get AMT_SetupAndConfigurationService instance.   SMS_AMT_OPERATION_MANAGER  16.07.2013 08:38:10   728 (0x02D8)

      DoKerberosWSManDiscovery failed.                                       SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Flag iWSManFlagSkipRevocationCheck is set.                       SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      session params : https://10.37.135.52:16993,2015001           SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      ERROR: Invoke(get) failed: 80020009argNum = 0                 SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Description: A security error occurred                                     SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Error: Failed to get AMT_SetupAndConfigurationService instance.  SMS_AMT_OPERATION_MANAGER  16.07.2013 08:38:10  728 (0x02D8)

      DoWSManDiscovery failed with user name: admin.               SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      Discovery to IP address 10.37.135.52 succeed. AMT status is 1. SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10   728 (0x02D8)

      CSMSAMTDiscoveryTask::Execute, discovery to Testclient succeed. AMT status is 1. SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      CSMSAMTDiscoveryTask::Execute - DDR written to D:\CM2012\inboxes\auth\ddm.box    SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      CStateMsgReporter::DeliverMessages - Queued message: TT=1201 TIDT=0 TID='Unspecified' SID=10 MUF=0 PCNT=1, P1= ‘Testclient.testing.oursite.de’ P2='' P3='' P4='' P5=''              SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      CStateMsgReporter::DeliverMessages - Created state message file: D:\CM2012\inboxes\auth\statesys.box\incoming\w1p7jxgk.SMX         SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10               728 (0x02D8)

      General Worker Thread Pool: Succeed to run the task Testclient.testing.oursite.de. Remove it from task list.    SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      General Worker Thread Pool: Work thread 728 has been requested to shut down.       SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10        728 (0x02D8)

      General Worker Thread Pool: Work thread 728 exiting.  SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10                728 (0x02D8)

      General Worker Thread Pool: Current size of the thread pool is 0    SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:10               5436 (0x153C)

      AMT Discovery Worker: Wakes up to process instruction files  SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:29                7568 (0x1D90)

      AMT Discovery Worker: Wait 3600 seconds...    SMS_AMT_OPERATION_MANAGER     16.07.2013 08:38:29        7568 (0x1D90)

      AMT WOL Worker: Wakes up to process instruction files            SMS_AMT_OPERATION_MANAGER     16.07.2013 09:04:22                8572 (0x217C)

      AMT WOL Worker: Wait 3600 seconds...              SMS_AMT_OPERATION_MANAGER     16.07.2013 09:04:22        8572 (0x217C)

       

      We triple-checked the admin account and password, but it's the same one we use to log in to the MEBx, and that works without problems.

      Hope someone can shed some light on this problem.

        • 1. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
          Alan Alderson

          TKremer,

          You should consider using Intel SCS instead of SCCM to provision your vPro clients. The reason I say this is because SCCM still uses SOAP to communicate with AMT during the provisioning process. SOAP was deprecated in AMT 6 in favor of WS-Management. Starting with version 9.0 of AMT, SOAP is no longer supported and any solution that uses it will no longer work.

           

          However, if you wish to continue using SCCM to provision your vPro clients then please try removing the AMT provisioning certificate from the SCCM machine store. After doing that, re-import it directly into the machine store via MMC. There is an intermittent bug with Windows that causes problems if you install the certificate into the current user's store and then copy it to the machine store.

           

          -Alan

          • 2. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
            TKremer

            Hello Alan,

            Thanks for the answer.
            I deleted the certificate from the server's Personal Store and re-imported it via MMC.
            The error message stayed the same and the server can't connect to the machine.

            I checked the admin password again but it is correct. The firewall ports are open on both sides. WinRM is configured to allow https on both sides.

            We hoped to use the in-band provisioning without SCS and have autodiscovery and autoprovisioning with SCCM only. But I will try SCS for provisioning. The question is, can I send power-on and other things via SCCM if the client is provisioned with SCS and imported to SCCM? All our machines are already SCCM clients.

            • 3. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
              Alan Alderson

              When you re-imported the AMT provisioning certificate did you import it directly into the machine store and not the personal store?

               

              As for provisioning with SCS and managing with SCCM. Yes, SCCM will maintain the same level of control over your vPro clients as before. We are currently updating our SCS Add-on for SCCM to make the process of integration easier.

              • 4. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
                TKremer

                Hi Alan,

                I re-imported the certificate to the personal store as shown in most step-by-step guides.
                I searched for a method to install the certificate directly to the machine store but couldn't find one via MMC until now. Could you please tell me how to do this?

                For SCS I tried to implement it with the help of Blair Muller's blog. Unfortunately I couldn't find the mentioned mof file in the SCS 8.2 download. Is there an estimated time of arrival for the new SCS Add-on?

                Thanks for your help.

                • 5. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
                  Alan Alderson

                  I read your reply wrong. I thought you had imported the certificate into the user's personal store, not the computer's; you are importing the certificate correctly. Please check your system event log for SChannel errors. If you find any, please include the hex code from the error.

                   

                  As for the SCS Add-on, we should have an updated version available next week.

                  • 6. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
                    TKremer

                    I checked the system event log and found some Schannel errors. The error description is as follows.

                     

                     

                    A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 80.

                    - Provider
                        [Name] Schannel
                        [Guid] {1F678132-5938-4686-9FDC-C8FF68F15C85}
                      EventID 36887
                      Version 0
                      Level 2
                      Task 0
                      Opcode 0
                      Keywords 0x8000000000000000
                    - TimeCreated
                        [SystemTime] 2013-07-19T07:44:49.997870900Z
                      EventRecordID 14700
                      Correlation
                    - Execution
                        [ProcessID] 656
                        [ThreadID] 6112
                      Channel System
                      Computer Testprimary.testing.oursite.de
                    - Security
                        [UserID] S-1-5-18
                    - EventData
                      AlertDesc 80

                     

                    I already searched the net for the specific error but couldn't find anything useful to repair it. It seems to be an SSL error, which matches our problems. I will check the certificates again.
                    Do you have any other suggestions?

                    • 7. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
                      Alan Alderson

                      Can you tell me the exact steps you took when reimporting the provisioning certificate back into the local computer's personal certificate store?

                      • 8. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
                        TKremer

                        No problem, here are the steps I took.

                        1. I opened a console via mmc and used the certificates snap-in for computer account\local computer. That happened on the server that should use the certificate.
                        2. I navigated to Certificates\Personal\Certificates and used the Import.
                        3. I browsed to the location of the Verisign Certificate and opened it.
                        4. I used the Option Place all certificates in the following store: Personal
                        5. Closed the window with Finish. After some seconds I got the message that the Import was successful.
                        6. In the Certificate store I can see the newly imported certificate.

                        The Certification Path shows me that the certificate chain looks good. Verisign can be found in the Third-Party Root Certification. At the moment, I don't know what went wrong.

                        • 9. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems

                          Hi TKremer

                           

                          I've got almost the same problem. An old SCCM 2007 service on Windows Server 2008 R2 which can provision AMT 3.2.0 to version 8.1.20.

                           

                          We have created a new Windows 2012 Server with SQL 2012 and SCCM 2012 (Comodo certificate). The team have provisioned AMT 5.1.0 to version 8.1.20 successfully. But we have a lot of machines with AMT 3.2.30. All of these have failed with the same error in the event log. "A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 80."

                           

                          TLS1_ALERT_INTERNAL_ERROR (80) from Event ID: 36887 Source: Schannel

                           

                          amtopmgr.log

                          **** Error 0x1f53b410 returned by ApplyControlToken~  $$<SMS_AMT_OPERATION_MANAGER><07-22-2013 16:52:11.910-60><thread=6940 (0x1B1C)>

                          Fail to connect and get core version of machine C60024001.ccad.canterbury.ac.uk using provisioning account #1.  $$<SMS_AMT_OPERATION_MANAGER><07-22-2013 16:52:11.911-60><thread=6940 (0x1B1C)>

                          Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~  $$<SMS_AMT_OPERATION_MANAGER><07-22-2013 16:52:11.920-60><thread=6940 (0x1B1C)>

                           

                          At the moment this looks like a Windows Server 2012 problem as one of my colleagues has provisioned AMT version 3.2.30 using Windows 2008 R2 with SQL 2012 and SCCM 2012.

                           

                          I've been working on the changes Microsoft have made to the Security Channel settings in Server 2012 but so far have been unsuccessful.

                          HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\

                           

                          Which OS are you on?

                           

                          Tony Bennett

                          Canterbury Christ Church University

                          • 10. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
                            Alan Alderson

                            Well, you are definitely importing the certificate correctly.

                             

                            This is a Microsoft bug, and the workaround we were trying of importing the certificate directly into the local computer's personal certificate store isn't working. You will need to either open an MSDN support ticket and have Microsoft take a look at this issue, or use Intel SCS to configure your vPro clients. If you can't wait for the new SCS Add-on, there are instructions on how to manually integrate SCS with SCCM.

                            https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=21696

                            • 11. Re: VPro OoB Managment with SCCM 2012 SP1 CU1 Problems
                              TKremer

                              @Tony Bennett
                              Hi Tony, thanks for the answer.
                              We are using Server 2012 with SQL 2012 and SCCM 2012.
                              In our case even provisioning of version 5 and up doesn't work.

                              @Alan Alderson
                              I will try and implement the Intel SCS to configure the clients.

                              We plan to switch our production systems to Server 2012 and SCCM 2012 at the end of the year, so I want to have as much time as possible to test the AMT provisioning and OoB functions.

                              Thanks for your help.
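
An added example, not part of any post in this thread: a small Python triage script that reads both amtopmgr.log layouts quoted above (the export in the first post and the `$$<...>` layout in Tony Bennett's reply) and groups the coded errors by worker thread. The sample lines are copied from those excerpts; the function names and the lookup table are this example's own.

```python
import re

# Codes that appear in the thread's excerpts and have fixed Windows meanings.
KNOWN = {
    0x80090304: "SEC_E_INTERNAL_ERROR (Schannel/SSPI internal error)",
    0x80020009: "DISP_E_EXCEPTION (COM call raised an exception)",
}

# Layout A (first post): message, component, dd.mm.yyyy hh:mm:ss, thread id (hex)
FMT_A = re.compile(
    r"^(?P<msg>.*?)\s+SMS_\w+\s+(?P<ts>\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2})"
    r"\s+(?P<tid>\d+)\s*\(0x[0-9A-Fa-f]+\)\s*$")
# Layout B (Tony Bennett's reply): message~  $$<component><timestamp><thread=id (hex)>
FMT_B = re.compile(
    r"^(?P<msg>.*?)~?\s*\$\$<[^>]+><(?P<ts>[^>]+)><thread=(?P<tid>\d+) \(0x[0-9A-Fa-f]+\)>\s*$")
# An 8-digit hex code after "Error " or "failed: ", with or without a 0x prefix.
CODE = re.compile(r"(?:Error |failed: )(?:0x)?([0-9A-Fa-f]{8})")

def parse_line(line):
    """Return (message, timestamp, thread_id), or None if neither layout matches."""
    m = FMT_A.match(line) or FMT_B.match(line)
    return (m["msg"].strip(), m["ts"], int(m["tid"])) if m else None

def triage(lines):
    """Group coded errors by worker thread: {tid: [(ts, code, meaning, message)]}."""
    findings = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        msg, ts, tid = parsed
        hit = CODE.search(msg)
        if hit:
            code = int(hit.group(1), 16)
            meaning = KNOWN.get(code, "not in table")
            findings.setdefault(tid, []).append((ts, f"0x{code:08x}", meaning, msg))
    return findings

def handshake_failures(findings):
    """Thread ids whose log shows the Schannel handshake error 0x80090304."""
    return sorted(t for t, rows in findings.items()
                  if any(code == "0x80090304" for _, code, _, _ in rows))

# Lines copied from the two amtopmgr.log excerpts in this thread (padding shortened).
SAMPLE = [
    "DoPingDiscoveryForAMTDevice succeeded.  SMS_AMT_OPERATION_MANAGER  16.07.2013 08:38:09  728 (0x02D8)",
    "Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.  SMS_AMT_OPERATION_MANAGER  16.07.2013 08:38:09  728 (0x02D8)",
    "**** Error 0x3bb9b550 returned by ApplyControlToken  SMS_AMT_OPERATION_MANAGER  16.07.2013 08:38:09  728 (0x02D8)",
    "ERROR: Invoke(get) failed: 80020009argNum = 0  SMS_AMT_OPERATION_MANAGER  16.07.2013 08:38:10  728 (0x02D8)",
    "Error 0x80090304 returned by InitializeSecurityContext during follow up TLS handshaking with server.~  $$<SMS_AMT_OPERATION_MANAGER><07-22-2013 16:52:11.920-60><thread=6940 (0x1B1C)>",
    "**** Error 0x1f53b410 returned by ApplyControlToken~  $$<SMS_AMT_OPERATION_MANAGER><07-22-2013 16:52:11.910-60><thread=6940 (0x1B1C)>",
]

if __name__ == "__main__":
    for tid, rows in triage(SAMPLE).items():
        for ts, code, meaning, msg in rows:
            print(f"thread {tid}  {ts}  {code}  {meaning}")
```

Both 0x80090304 and the TLS alert 80 quoted in the thread are generic internal-error indications, so the script narrows down which thread and step failed rather than naming a root cause.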